Moving device to a different set of security restrictions - payload error.

lombarwi
New Contributor III

I am looking after the MDM solution for my employer.

We have decided (for most things) to keep the setup as 'uniform' as possible for all users.

For some things, such as app functionality and the App Store 'blacklist', we have recently decided to introduce some subtle distinctions between normal users and management. Right now, it's the difference of one chat app.

I duplicated the existing profile and changed its scope to exclusively 'Management' devices. This is a static group, btw. My test device was in this group the entire time (before any changes to app policy were even hinted at) and got the new profile immediately. I could also verify this from the lock screen text. Installing the otherwise 'blocked' app was not a problem.

I added a colleague's iPhone to the management group but it seems that he is not receiving the new profile. There is no text on the lock screen to indicate which device management group he belongs to either. More worryingly, it seems he can install just about any app (from the App Store) that he chooses to! When I check the JAMF console for his iPhone I see this error...

"A Shared Device Configuration payload is already installed"

 

Purely for the sake of context, all other devices are regarded as 'standard' in terms of restrictions and are not assigned into any specific group - they just fall under the umbrella of 'All Devices' when they are enrolled into JAMF and then switched on by the end-user. The standard restrictions have the management device group set as 'excluded'.

 

I've asked him too to check Settings > General > VPN & Device Management. The list of restrictions is pretty short! I can still remotely wipe the device, so not all contact has been lost!!

 

For an older test device that has spent its entire career under standard restrictions (but was nonetheless recently added to the static management group), I get the same problem. Does this mean that I have to wipe the device remotely and then assign it back to the 'management' group so that it gets the corresponding permissions regarding device functionality and black-listed apps? Also, must this be done within a certain time limit?

I had always thought that things could be done relatively 'dynamically' in JAMF.

 

Regards,

WL

 

3 REPLIES 3

lombarwi
New Contributor III

The problem has been resolved.

Can an admin mark this as 'resolved'? Thanks.

dlondon
Valued Contributor

Hi @lombarwi - it would be great if you explained how you resolved the issue. 

lombarwi
New Contributor III

Gladly. I had to open the management console for the device and click 'Renew MDM Profile' and then 'Send Blank Push'... although it could've been the opposite way around! In any case, the new set of restrictions was sent to the device.

Somewhat worryingly, there was a period when the device had practically no restrictions whatsoever! The user certainly took advantage of this fact. The bottom must've fallen out of his world when otherwise 'forbidden' apps vanished into the ether (when the profile was applied to his device). JAMF brings out the sociopath and sadist in me. :-)